
How to make a crack for software

If you've ever wondered how software pirates can take software and crack it time and time again, even with protection in place, this small series is for you. Even with today's most advanced anti-piracy measures, it is still relatively easy to crack almost any program in the world. This is mainly because a running process can be completely manipulated from an assembly-level debugger: you can pause it at the instruction where it checks the result of the key verification and change a register, a flag, or the instruction bytes themselves. Using this, you can bypass registration by making the program behave as if the key verification succeeded, without ever supplying a valid key. In this Null Byte, let's go over how cracking could work in practice by looking at an example program (a program that serves no purpose other than for me to hack). I will not be walking you through how to actually crack a legitimate program, because I can't just crack a program for demonstration, but the techniques applied to my examples should give you the foundation needed to create your own. At that point, it's a test of your morals whether you use your knowledge for good or bad.

Requirements

Windows (for the examples only; debuggers exist for every platform)
A debugger installed: IDA, OllyDbg, etc. (OllyDbg is used in the examples)

Step 1 Test the Program

First, run the program that you are attempting to reverse engineer and try to activate it with a random key, to confirm that it really refuses anything but a valid software key. This gives you a baseline: if the program later accepts your random key after you intervene in the debugger, you know the bypass worked.

Step 2 Run the Program in a Debugger

1. Run OllyDbg.

2. Open the program you wish to bypass in OllyDbg (File > Open).

3. Click the play button (F9) to run the program with the debugger attached.

4. Right-click the CPU window and choose Search for > All intermodular calls.

5. Look for high-interest API calls. GetDlgItemTextA/GetDlgItemTextW (from user32.dll) read the text of a dialog control and are called when you submit a software key, so they lead straight to the registration code; SendDlgItemMessageA/W can be used the same way. By stepping into the code after such a call with the debugger, we can examine the registration check specifically.

6. To find out which call the activation dialog actually uses, right-click the call in the intermodular calls window and choose "Set breakpoint on every call to ..." so that every call to that API pauses the program.

7. Resume the program and enter any software key you like. If the debugger breaks (pauses the program's execution) after you submit your key, you have found the right call from step 5.

8. Back in the CPU window, press F8 (step over) repeatedly until you reach a TEST EAX,EAX. EAX holds the value returned by the function that was just called, which means the verdict on your key is being checked here: TEST EAX,EAX sets the zero flag when EAX is 0, and the conditional jump that follows it (JE/JNE SHORT) chooses between the registered and not-registered paths based on that flag. Upon examination, the check treats zero as "invalid key" and any non-zero value as "valid", so replacing the zero with anything else makes the program take the registered path.

9. In the Registers pane, right-click EAX, choose Modify, and change its value from 0 to 1.

10. Resume the program (F9) again, and it will report itself as activated.

And for proof it was registered to me:

This works because the registration routine has already returned its verdict in EAX, and the conditional jump after TEST EAX,EAX only looks at whether EAX is zero. By changing EAX to a non-zero value you override that verdict, so the jump takes the registered path even though the key is wrong; the verification code itself still ran, you simply ignored its result. Note that editing a register only affects this one run of the program. To make the change permanent, patch the conditional jump itself (overwrite it with NOPs so it never jumps away, or invert its condition) and save the modified program from OllyDbg (right-click > Copy to executable). To exploit the key registration algorithm itself, keep an eye out for part two of this tutorial on making the key generator. Hooray for assembly!
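The decision at the TEST EAX,EAX in step 8, and the two ways of overriding it (editing EAX at run time as in step 9, or patching the conditional jump so the change survives a restart), as an added example that is not code from the original tutorial. The byte sequence is a constructed, hypothetical fragment of 32-bit x86 code with the shape of the check described above; the offsets, function names and `reaches_registered_path` (a model of just this one TEST/Jcc decision, not an emulator) are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample (hypothetical bytes, not taken from any real program):
 * the shape of 32-bit x86 code around a registration check.
 *   off  0: E8 rel32        call  check_key     ; returns 0 (bad) or 1 (good) in EAX
 *   off  5: 85 C0           test  eax, eax      ; ZF = 1 when EAX == 0
 *   off  7: 74 0A           jz    bad_key       ; EAX == 0 -> skip the registered path
 *   off  9: B8 01 00 00 00  mov   eax, 1        ; registered path (filler)
 *   off 14: C3              ret
 *   off 15: 90 90 90 90     nop                 ; padding
 *   off 19: 31 C0           xor   eax, eax      ; bad_key: (9 + 0x0A = 19)
 *   off 21: C3              ret
 * The rel32 of the call is a placeholder; nothing here resolves it. */
static const uint8_t sample_code[] = {
    0xE8, 0x10, 0x00, 0x00, 0x00,
    0x85, 0xC0,
    0x74, 0x0A,
    0xB8, 0x01, 0x00, 0x00, 0x00,
    0xC3,
    0x90, 0x90, 0x90, 0x90,
    0x31, 0xC0,
    0xC3,
};

enum patch_mode { PATCH_INVERT, PATCH_NOP };

/* Find TEST EAX,EAX (85 C0) followed by a short JZ/JNZ (74/75 rel8).
 * Returns the offset of the TEST, or -1. Caveat: this pattern occurs all over
 * a real binary, so take the address from the debugger (step 8) rather than
 * trusting the first hit of a scan. */
long find_test_eax_jcc(const uint8_t *code, size_t len)
{
    for (size_t i = 0; i + 3 <= len; i++) {
        if (code[i] == 0x85 && code[i + 1] == 0xC0 &&
            (code[i + 2] == 0x74 || code[i + 2] == 0x75))
            return (long)i;
    }
    return -1;
}

/* Patch the conditional jump that follows the TEST at `off`.
 * PATCH_INVERT swaps JZ<->JNZ (74<->75): a wrong key now passes, but a genuine
 * key is rejected. PATCH_NOP overwrites the two-byte jump with NOPs so the
 * fall-through (registered) path always runs, whatever EAX holds.
 * Returns 0 on success, -1 if the expected bytes are not at `off`. */
int patch_jcc(uint8_t *code, size_t len, size_t off, enum patch_mode mode)
{
    if (off + 4 > len || code[off] != 0x85 || code[off + 1] != 0xC0)
        return -1;
    uint8_t op = code[off + 2];
    if (op != 0x74 && op != 0x75)
        return -1;
    if (mode == PATCH_INVERT) {
        code[off + 2] = (op == 0x74) ? 0x75 : 0x74;
    } else {
        code[off + 2] = 0x90;
        code[off + 3] = 0x90;
    }
    return 0;
}

/* Model only the decision at TEST/Jcc: 1 if execution falls through to the
 * registered path for this EAX value, 0 if the jump to bad_key is taken,
 * -1 if the bytes at `off` are not a TEST followed by JZ, JNZ or NOP NOP. */
int reaches_registered_path(const uint8_t *code, size_t len, size_t off, uint32_t eax)
{
    if (off + 4 > len || code[off] != 0x85 || code[off + 1] != 0xC0)
        return -1;
    switch (code[off + 2]) {
    case 0x74: return eax == 0 ? 0 : 1;                 /* jz: leaves when EAX == 0 */
    case 0x75: return eax != 0 ? 0 : 1;                 /* jnz: leaves when EAX != 0 */
    case 0x90: return code[off + 3] == 0x90 ? 1 : -1;   /* nop nop: never leaves */
    default:   return -1;
    }
}

/* Step 9 of the tutorial: the code is untouched, EAX is edited in the debugger. */
int demo_edit_eax(uint32_t eax_as_set_in_debugger)
{
    return reaches_registered_path(sample_code, sizeof sample_code, 5, eax_as_set_in_debugger);
}

/* The permanent alternative: patch a copy of the code, then see what happens
 * for a key the real check rejects (eax == 0) or accepts (eax == 1). */
int demo_patch(enum patch_mode mode, uint32_t eax_from_check_key)
{
    uint8_t buf[sizeof sample_code];
    memcpy(buf, sample_code, sizeof buf);
    long off = find_test_eax_jcc(buf, sizeof buf);
    if (off < 0 || patch_jcc(buf, sizeof buf, (size_t)off, mode) != 0)
        return -1;
    return reaches_registered_path(buf, sizeof buf, (size_t)off, eax_from_check_key);
}

int main(void)
{
    printf("wrong key, unpatched:      %d\n", demo_edit_eax(0));
    printf("wrong key, EAX set to 1:   %d\n", demo_edit_eax(1));
    printf("wrong key, JZ inverted:    %d\n", demo_patch(PATCH_INVERT, 0));
    printf("right key, JZ inverted:    %d\n", demo_patch(PATCH_INVERT, 1));
    printf("wrong key, JZ nopped:      %d\n", demo_patch(PATCH_NOP, 0));
    return 0;
}
```

The inverted patch is the quick one-byte change crackers often make, but it breaks genuine keys; the NOP patch accepts everything. Both operate on a byte buffer here; against a real program you would make the same edit in OllyDbg (assemble over the instruction, then Copy to executable), since the address the debugger shows is a virtual address, not a file offset.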

How to generate keys

If you've ever heard software piracy terminology being discussed, I'm sure the term KeyGen came up. KeyGen is short for key generator: a program that exploits weaknesses in a product's license-key algorithm by generating keys that the product accepts as genuine. License keys are normally used to protect software and prevent piracy; a key generator reverses the key algorithm and effectively nullifies the need for a purchased license. To build one, we look for the rules the checker enforces, such as three 5s in every key, all even numbers, a fixed separator between groups, or a fixed relationship between the user name and the key. Any program that validates a key without going online has to carry the validation algorithm inside its own binary, and that algorithm can be read with a debugger. Normally, something like this would be of no use, but everything has its purpose. Suppose that you lose the source to one of your programs; wouldn't you want the ability to reverse it and recover how it works? Alternatively, if you made a tool that people enjoyed and decided to sell it via licenses, you need to check it for weaknesses such as these to reduce the chance of your own software being stolen. In today's Null Byte, let's go over how a KeyGen could work by cracking the algorithm used to verify software keys in a few examples. I will not be walking you through how to actually crack a legitimate program, because I can't just crack a program for demonstration, but the techniques applied to my examples should give you the foundation needed to create your own. At that point, it's a test of your morals whether you use your knowledge for good or bad. You must follow The Hacks Behind Cracking, Part 1 through until just before the final step, and then you can begin the tutorial below.

Step 1 Step Into the Function

1. Run the program in the debugger with the breakpoint from Part 1 still set, and resume until it breaks as you submit the key again.

2. Press F7 (step into) to go inside the function.

3. Keep pressing F7 until you find the name and key you entered referenced in the disassembler again, followed by a conditional jump.

4. Shortly thereafter, you should find CMP DL,2D or something similar (0x2D is the ASCII code for the dash character). This is inside the routine that validates our key.

Step 2 Start Reversing for the Key

1. You should see a series of CMP instructions and short conditional jumps (JE SHORT / JNE SHORT), likely alternating in a pattern: one comparison per character or segment of the key, each followed by a jump to the rejection path.

2. Click on each CMP and examine what it is comparing against, as opposed to what you entered.

3. This one is looking for a dash, so add a dash to the key you are testing and see how much further the validation gets. Remove all breakpoints and set a new one here.

4. Scroll down to the next comparison and find the one where EAX holds the first segment of the serial you typed. The register shows it in hex; the converter in the Windows Calculator (programmer mode) turns it back into decimal.

5. Remove the previous breakpoints and set a new one on the CMP that, when selected, shows your key segment (in hex) being compared against the value it should be. That expected value is computed from the name entered in the registration form, which is why the key depends on the name.

6. The value it is compared against is the correct segment for that part of the key field, so converting it from hex to decimal gives us the next part of our key. Set your new breakpoint, then rinse and repeat the previous two steps until you have the full key and register successfully. To turn this into a key generator, repeat the whole process with one or two different user names so you have several working name/key pairs; comparing them shows which parts of the key change with the name and how. Better still, read the arithmetic the program performs on the name in the disassembly between those CMPs and reimplement it: a key generator is just that computation, run outside the program. I hope you learned something.
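A toy key scheme with the shape the steps above describe (decimal segments separated by dashes, each derived from the registered name), as an added example rather than the tutorial's own target program. It contains both the checker, written the way it appears in the disassembly (the dash test is the CMP DL,2D from Step 1; each segment compare is the CMP whose right-hand side you read in hex in Step 2), and the key generator, which is the same computation run outside the program. The algorithm, the function names and the sample name "Ab" are constructed for illustration and belong to no real product.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <ctype.h>

#define SEGMENTS 3

/* Constructed toy key algorithm (hypothetical, not any real product's):
 * three decimal segments of at most 4 digits, all derived from the name.
 * This is the arithmetic you would read out of the disassembly between
 * the CMP instructions. */
static void compute_segments(const char *name, uint32_t seg[SEGMENTS])
{
    uint32_t sum = 0, weighted = 0;
    for (size_t i = 0; name[i] != '\0'; i++) {
        uint32_t c = (unsigned char)name[i];
        sum += c;                          /* plain sum of the name bytes */
        weighted += c * (uint32_t)(i + 1); /* position-weighted sum */
    }
    seg[0] = sum % 10000;
    seg[1] = weighted % 10000;
    seg[2] = (seg[0] * 31 + seg[1]) % 10000;
}

/* The value on the right-hand side of the i-th segment CMP: the number the
 * debugger shows in hex at the breakpoint (steps 5 and 6). */
uint32_t expected_segment(const char *name, int i)
{
    uint32_t seg[SEGMENTS];
    compute_segments(name, seg);
    return (i >= 0 && i < SEGMENTS) ? seg[i] : 0;
}

/* The checker as the program performs it: walk the typed key byte by byte,
 * insisting on '-' (0x2D) between segments and comparing each parsed decimal
 * segment with the expected one. Returns 1 for a valid key, 0 otherwise. */
int validate_key(const char *name, const char *key)
{
    uint32_t want[SEGMENTS];
    compute_segments(name, want);
    const char *p = key;
    for (int i = 0; i < SEGMENTS; i++) {
        if (i > 0) {
            if (*p != '-')            /* CMP DL,2D ; JNE SHORT reject */
                return 0;
            p++;
        }
        if (!isdigit((unsigned char)*p))
            return 0;
        uint32_t got = 0;
        while (isdigit((unsigned char)*p))
            got = got * 10 + (uint32_t)(*p++ - '0');
        if (got != want[i])           /* CMP EAX,<expected> ; JNE SHORT reject */
            return 0;
    }
    return *p == '\0';                /* nothing may follow the last segment */
}

/* The key generator: the same computation, formatted the way the checker
 * expects. Returns 1 on success, 0 if the buffer is too small. */
int generate_key(const char *name, char *out, size_t outlen)
{
    uint32_t seg[SEGMENTS];
    compute_segments(name, seg);
    int n = snprintf(out, outlen, "%04u-%04u-%04u",
                     (unsigned)seg[0], (unsigned)seg[1], (unsigned)seg[2]);
    return n > 0 && (size_t)n < outlen;
}

/* Generate a key for `name` and run it back through the checker. */
int keygen_roundtrip(const char *name)
{
    char key[32];
    return generate_key(name, key, sizeof key) && validate_key(name, key);
}

/* Does the generated key for `name` equal `expected`? (for checking by hand) */
int key_equals(const char *name, const char *expected)
{
    char key[32];
    return generate_key(name, key, sizeof key) && strcmp(key, expected) == 0;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "Ab";   /* "Ab": constructed sample name */
    char key[32];
    if (!generate_key(name, key, sizeof key))
        return 1;
    printf("name: %s\nkey:  %s\n", name, key);
    printf("third segment as the debugger shows it: %X\n", (unsigned)expected_segment(name, 2));
    printf("checker accepts it: %d\n", validate_key(name, key));
    return 0;
}
```

For the sample name "Ab" the third segment is 5314, which the debugger displays as 14C2 at the CMP; converting that hex value to decimal, as in step 6, gives the segment to type. Once compute_segments is recovered from the disassembly, no further name/key pairs are needed: generate_key produces a valid key for any name.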